Manage orphaned knowledge objects

When a knowledge object owner leaves a department or company and their Splunk account is deactivated, the knowledge objects that they owned remain in the system. These are orphaned knowledge objects. Knowledge objects without valid owners can cause problems. For example, searches that refer to orphaned lookup definitions may not work.

Orphaned scheduled reports can be a particular problem. The search scheduler cannot run a scheduled report on behalf of a nonexistent owner. This happens because the scheduled report is no longer associated with a role. Without that role association, the search scheduler has no way of knowing what search quotas and concurrent search configurations the report is limited by. As a result, it will not run the scheduled report on its schedule at all. This can result in broken dashboards and embedded searches, data collection gaps in summary indexes, and more.

Orphaned knowledge objects also present a security concern, whether they are scheduled or not. There are a variety of reasons that you should not allow knowledge objects to operate on behalf of owners who are no longer in your system.

The Splunk software provides several methods of detecting orphaned knowledge objects. Once you have found orphaned knowledge objects, you have several options for resolving their orphaned status.

Find orphaned knowledge objects

There are several ways that you can find out whether or not you have orphaned knowledge objects in your Splunk implementation. Most of these detection methods specialize in orphaned scheduled reports, because they tend to cause the most problems for users.

The Reassign Knowledge Objects page in Settings is the only orphaned knowledge object detection method that can find all orphaned knowledge object types. It can only find orphaned knowledge objects that have been shared at the app or global levels.

These detection methods have no way of knowing when people are removed using a third-party user authentication system.

Review orphaned scheduled search notifications

By default your Splunk implementation runs a search to find orphaned scheduled reports on a daily schedule. When it finds orphaned scheduled reports it creates a notification message. If you open that message you can click a link to see a list of the orphaned reports in the Orphaned Scheduled Searches, Reports, and Alerts dashboard.

Steps

Click Messages when the UI indicates there are messages there.

If you find a message indicating that the Splunk software has found orphaned scheduled searches, click the message link to run a search that displays the orphaned scheduled searches.

Look at the Orphaned Scheduled Searches, Reports, and Alerts dashboard and report

The Orphaned Scheduled Searches, Reports, and Alerts dashboard is delivered with your Splunk implementation. When you access it, the dashboard loads with the results of the Orphaned Searches, Reports and Alerts report, which is designed to return the names of any orphaned scheduled reports in your system.

You can run the Orphaned Searches, Reports And Alerts report directly from the Reports listing page to get the same results.

Run the Monitoring Console health check

If you have the Monitoring Console configured for your Splunk instance, you can use its health check feature to detect orphaned scheduled searches, reports, and alerts. It will tell you how many of these knowledge objects exist in your system. You have to run a drilldown search to see a list that identifies the orphaned searches by name.

Open the Monitoring Console by selecting Settings > Monitoring Console.

Select the Health Check tab.

Click the Start button in the upper right corner to run the health check. By default, the health check will search for orphaned scheduled searches, reports, and alerts. If the health check finds orphaned searches, the Monitoring Console marks the Orphaned Scheduled Searches row with an Error notification and moves it to the top of the health check list, alongside other rows with Error notifications.

Click the Orphaned Scheduled Searches row to launch a drill down search. This search displays the names of the orphaned scheduled searches.

Use the Reassign Knowledge Objects page in Settings

The Reassign Knowledge Objects page in Settings is the only orphaned knowledge object detection method that detects all knowledge objects (not just searches, reports, and alerts). However, it can only find knowledge objects that have been shared to the app or global levels.

Steps

Select Settings > All configurations.

Click Reassign Knowledge Objects.

Click Orphaned to filter out non-orphaned objects from the list.

At this point, the list should only contain orphaned objects that have been shared. Now you can determine what you want to do with the items in that list.

Reassign one or more shared knowledge objects to a new owner

Use the Reassign Knowledge Objects page in Settings to reassign a knowledge object to a new owner. The Reassign Knowledge Objects page can reassign both owned and orphaned knowledge objects. It is designed to work with all Splunk deployments, including those that use search head clustering (SHC).

Knowledge object ownership changes can have side effects such as giving saved searches access to previously inaccessible data or making previously available knowledge objects unavailable. Review your knowledge objects before you reassign them.

Only users with the Admin role can reassign knowledge objects to new owners.

Find the knowledge object or objects you want to reassign

First, you need to use the filtering options on the Reassign Knowledge Objects page to help you find the knowledge object or objects that you want to reassign.

Steps

Select Settings > All configurations.

Click Reassign Knowledge Objects.

Find the object or objects that you want to reassign.

Objects to find | Step to follow
Objects belonging to an owner with an active account. | Click Filter by Owner and select the owner name from the dropdown.
All shared, orphaned objects. | Click Orphaned.
Objects belonging to a specific knowledge object type. | Make a selection from the Object type dropdown.
Objects belonging to a specific app. | Make a selection from the App dropdown. You can optionally switch All Objects to Objects created in the app to filter out objects created in apps other than the app you have selected.
Objects that include a particular text string. | Enter the string into the filter field and click Return.

Your next steps depend on how many knowledge objects you want to reassign to a different owner.

Reassign a single knowledge object to another owner

If you are using the Reassign Knowledge Objects page to reassign an individual object to another owner, follow these steps.

Select the checkboxes next to the objects that you want to reassign. If you want to reassign all objects in the list to the same owner, click the checkbox at the top of the checkbox column.
You can reassign up to 100 objects in one bulk reassignment action.

Click Edit Selected Knowledge Objects and select Reassign.

(Optional) Remove knowledge objects that you have accidentally selected by clicking the X symbols next to their names.

Click Select an owner and select the name of the person that you want to bulk-reassign the selected knowledge objects to.

Click Save to save your changes.

Reassign unshared, orphaned knowledge objects

If you want to reassign orphaned knowledge objects that had a Private sharing status when they were orphaned, you cannot reassign them through the UI, or through REST API calls. There are two ways to reassign unshared, orphaned knowledge objects. You can temporarily recreate the invalid owner, or you can copy and paste the knowledge object stanza between the configuration files of the invalid and valid owners.

Temporarily recreate the invalid owner

The easiest solution for this is to temporarily recreate the invalid owner account, reassign the knowledge object, and then deactivate the invalid owner account.

Prerequisites

See About users and roles in the Admin Manual to learn how to add and remove users from your Splunk implementation.

Steps

Add the invalid knowledge object owner as a new user in your Splunk deployment.

Use the Reassign Knowledge Objects page to assign the knowledge object to a different active owner.

Deactivate the invalid owner account.

Perform a knowledge object stanza copy and paste operation between two .conf files

If you cannot reactivate invalid owner accounts, you can transfer ownership of unshared and orphaned knowledge objects by performing a .conf file stanza cut and paste operation. You cut the knowledge object stanza out of a .conf file belonging to the invalid owner and paste it into the corresponding .conf file of a valid owner.

Prerequisites

To use this method you must meet the following requirements:

You must be using either Splunk Enterprise or Splunk Light.

You must have filesystem access.

You cannot be running SHC on your Splunk deployment.

You must be able to restart your Splunk deployment.

Steps

In the filesystem of your Splunk deployment, open the .conf file for the invalid owner at etc/users/<name_of_invalid_user>/search/local/<name_of_conf_file>.

Locate the stanza for the orphaned knowledge object and cut it out.

Save your changes to the file and close it.

Open the corresponding .conf file for the new owner at etc/users/<name_of_valid_user>/search/local/<name_of_conf_file>.

Paste the knowledge object stanza that you just cut into the .conf file for the valid owner.

Save your changes to the file and close it.

Restart your Splunk deployment so the changes take effect.
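
The cut and paste steps above can be scripted. The following is an added example, not Splunk code: it moves one stanza between two .conf files, treats backslash-continued value lines (such as a subsearch that starts with "[") as part of the stanza, and refuses to overwrite a stanza of the same name in the new owner's file. The function names, the user names departed_user and new_owner, and the sample stanzas are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

STANZA_HEADER = re.compile(r"^\[(?P<name>.*)\]\s*$")

def split_stanzas(text):
    """Split .conf text into (preamble, [(stanza_name, raw_text), ...])."""
    preamble, stanzas, continued = [], [], False
    for line in text.splitlines(keepends=True):
        # After a trailing backslash a line continues a value, even if it starts with "[".
        header = None if continued else STANZA_HEADER.match(line)
        if header:
            stanzas.append((header.group("name"), [line]))
        elif stanzas:
            stanzas[-1][1].append(line)
        else:
            preamble.append(line)
        continued = line.rstrip("\r\n").endswith("\\")
    return "".join(preamble), [(n, "".join(b)) for n, b in stanzas]

def move_stanza(src, dst, name):
    """Cut stanza [name] from src and paste it into dst (both Path objects)."""
    preamble, stanzas = split_stanzas(src.read_text())
    moving = "".join(body for n, body in stanzas if n == name)
    if not moving:
        raise KeyError(f"[{name}] not found in {src}")
    dst_text = dst.read_text() if dst.exists() else ""
    if any(n == name for n, _ in split_stanzas(dst_text)[1]):
        raise ValueError(f"[{name}] already exists in {dst}; not overwriting")
    if dst_text and not dst_text.endswith("\n"):
        dst_text += "\n"
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_text(dst_text + moving)  # paste first, so a failure loses nothing
    src.write_text(preamble + "".join(b for n, b in stanzas if n != name))

def demo():
    """Constructed sample: a departed user's private report moves to new_owner."""
    root = Path(tempfile.mkdtemp())
    src = root / "etc/users/departed_user/search/local/savedsearches.conf"
    dst = root / "etc/users/new_owner/search/local/savedsearches.conf"
    src.parent.mkdir(parents=True)
    src.write_text("[Failed logins by host]\n"
                   "search = index=auth action=failure \\\n"
                   "[search index=assets | fields host]\n"
                   "cron_schedule = 0 6 * * *\n\n"
                   "[Keep me]\nsearch = index=main | head 5\n")
    move_stanza(src, dst, "Failed logins by host")
    return src.read_text(), dst.read_text()
```

Run it against copies of the two files while Splunk is stopped or before the restart step, and review the moved search before it runs under the new owner's role.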

About resolving orphaned scheduled searches

The action you take to resolve an orphaned scheduled search, report, or alert depends on what you want it to do going forward.

Turn off notifications of orphaned searches

By default, Splunk software notifies you about orphaned searches. If you would rather not receive these notifications, open limits.conf, look for the [system_checks] stanza, and set orphan_searches to disabled.
